Yes, you must use controller to filter results to only ownered content, like you did.
Inspired by you, I tried this code, it seems to work well:
./src/api/article/controllers/article.js
module.exports = createCoreController('api::article.article',
({
strapi
}) => ({
async find(ctx) {
const {
filters
} = ctx.query
ctx.query = {
...ctx.query,
filters: {
...filters,
author: {
id: ctx.state.user.id
}
}
}
return await super.find(ctx);
}
}));
(I updated the above is-owner policy code to admit no id params)